The first tech companies to offer bug bounties—where payment is offered to hackers who find vulnerabilities in the code—were web browser makers; Netscape kicked things off in 1995 and Mozilla did the same in 2004.

The goal is to get hackers to tell an at-risk company about a bug before the exploit becomes publicly known. It's a win-win for the hackers and the businesses—why block the bad guys when the more mercenary hackers can help shore up security?

By 2010, bug bounties became big business with players like Google, Facebook, Yahoo, and Microsoft all offering up large sums. Plenty of others—like Tesla, Yelp, Reddit, Square, 1Password, Pinterest, and Uber—have since joined the party, but bug bounties aren't limited to tech companies. Finance, healthcare, and government entities offer bounties because they're desperate to stay ahead of the next major breach.

Bug bounties have become so commonplace that third-party brokers like BugCrowd and HackerOne exist to connect hackers with bounty money. As of May 2017, HackerOne has paid out $16 million to the 100,000 hackers in its network alone, who have fixed 44,000 vulnerabilities. That's a lot of good work—for a lot less money than a true hack can cost a company in money and reputation.

The bug rewards are naturally getting better and better, with a 47 percent increase from 2015 to 2016. The proliferation of bounties and brokers has led to what the latest BugCrowd State of the Bug Bounty report calls "Super Hunters." They're hackers so Boba Fett-esque that the top 10 collected 23 percent of all the payouts.

Naturally, there are also some negatives. Companies like Exodus Intelligence, for example, offer higher bounties than the big companies; it went so far as to more than double the reward Apple offers for certain bug exploits in iOS: $500,000 compared to Apple's $200,000 max. Exodus also offers $125,000 for Microsoft Edge bugs and $150,000 for Google Chrome bugs. It then sells a subscription to companies that includes that bug info. That isn't necessarily bad—finding vulnerabilities is important and paying a company like Exodus is probably better than paying or losing millions after a hack.

One thing Exodus, governments, and all the software makers are particularly interested in: zero-day exploits. That's a type of vulnerability neither users nor software makers know exists, sometimes until it's too late; the FBI has used them to snare child pornographers. Of course, once used, such vulnerabilities are no longer secret and get patched fast.

These bugs are a big deal, and important for everyone. Maybe especially for the hunters, as finding them can help make a living. Below, take a look at a few of the biggest payouts yet in the bountiful field of bug bounties. If you know about some bigger bounties, let us know in the comments.

1. Microsoft: $200,000

In the summer of 2012, Microsoft handed out $260,000 to hackers as part of its Blue Hat security contest, and $200,000 of that went to one man, Columbia University PhD student Vasilis Pappas. He and the other two winners were among about 20 who submitted solutions for a Return-Oriented Programming (ROP) problem that hackers used to get around security controls. Pappas created kBouncer, a program that mitigates anything that looks like ROP. Those looking to one-up Pappas can submit papers to Blue Hat now.

2. Department of Defense: $150,000 in a Month

For one month in 2016, the DoD under the Obama administration literally said: "Hack the Pentagon!" Two hundred and fifty hackers went after bugs in the agency's systems, and found 138 vulnerabilities worth closing up. The total payout to hackers was $150,000—which then-Secretary of Defense Ashton Carter said was about $850,000 less than it would have cost to get a professional security audit. The whole thing was managed by HackerOne.

3. Google: $100,000

The Vulnerability Rewards Program (VRP) at Google (now Alphabet; VRP encompasses all properties like YouTube, Gmail, Blogger, etc.) dates back to 2010. It has since paid out $9 million, one-third of which went out in 2016 alone. Last year, most bugs targeted holes in the Chrome browser and the Android mobile operating system.

Google says its biggest single payout in 2016 was $100,000, though it didn't elaborate on what issue was solved. This year, hackers can potentially nab double that: Google just upped the biggest prize for Android bugs to $200,000.

Google will also double the bounty if the bug hunter donates all of it to charity—it donated $130,000 in 2016.

4. United Airlines: 1 Million Miles

Launched in 2015, United Airlines's bug bounty program rewards those who hack the company website—the all-important portal for booking flights. At least one researcher allegedly had to shame United into fixing a known problem. But other researchers are cool with the results, such as Kyle Lovett at Cisco and Jordan Wiens of Vector35, who both received a million miles of flight credit with United—enough for about 20 round trips within the US.

5. Facebook: $40,000

Facebook established a bug bounty program in July 2011 and has since paid out $4.3 million to over 800 researchers. Its largest single payout went to Russian security researcher Andrew Leonov, who found a flaw in some third-party photo-editing software that would have allowed a "remote code execution"—putting bad code into Facebook itself. It was actually a known problem Facebook thought it solved, but Leonov bypassed the social network's fix and got $40,000 for his find.

6. Yahoo: $15,000

Jouko Pynnönen of Finland received a $10,000 bounty from Yahoo—twice. Each time he found a flaw in Yahoo Mail with the same impact: attackers could read a victim's email messages. Researcher Ibraham Raafat, meanwhile, plugged a hole in Flickr that gave him access to sensitive info, which earned him $15,000.

7. Apple: We'll See

But its top-tier reward—$200,000—is pretty sizeable. All you have to do is circumvent iOS' "secure boot"—which prevents insecure programs from starting at reboot. Apple will also match bounties if the hacker donates to charity.

Smaller bounties await for other categories, provided you're a part of the small, invite-only team of researchers Apple hopes will squash its bugs. If your invite got lost in the mail, Exodus is offering $500,000 for any zero-day exploits in iOS.

About the Author

Eric narrowly averted a career in food service when he began in tech publishing at Ziff-Davis over 20 years ago. He was on the founding staff of Windows Sources, FamilyPC, and Access Internet Magazine (all defunct, and it's not his fault). He's the author of two novels, BETA TEST ("an unusually lighthearted apocalyptic tale"--Publishers' Weekly) an...
